May 29th, 2002 05:39 PM
Good Day of Engineering
For all you fellow consultants out there...
Received a call from a client of mine who has been very diligent about tightening their security. He wanted me to come out, unannounced, and see if I could gain access to his network through any means necessary. (I love it when somebody dares me to get in...)
Anywho, arrive on site. Meet w/client and his CIO, "Bill" (not his real name). They inform me that nobody on duty knows who I am and they have no idea that I am coming or what I will be up to.
I check server room - locked. Blinds on windows are closed. Brand new lock installed on door which requires use of smart card and pass code. Nice touch considering that 6 months ago the servers were sitting on a table in the corner of the room with no door, etc... Serious nightmare.
Start finding empty offices. Look under keyboards, in desk drawers, etc, no passwords found. Start a few workstations (NT & 2000), no display of last logged on user name. Gonna be harder than usual... no workstations powered on in unoccupied offices.
Watch for employees to go to leave their desks. They are all locking their workstations... somebody has been paying close attention to policy and training.
Go through the entire morning, without being able to snag acount info. A major accomplishment for this group of folks who had no idea about information security just a few months ago. Talk to several employees and try to weasel some info out of them. Each one notifies security, who are nice enough to detain me in a rather clinical-looking room until "Bill" comes and informs them that I'm a "good guy". Not sure I liked how he said that, and really not liking the fact that their security guards are armed and had no forwarning that I was there...
As I leave the security room, I notice that "Bill" has gone down the hallway away from his office.... Hmmm haven't been in here yet. Workstation is locked, no passwords written in usual places... Oh yeah - ROLODEX! Find phone number for their web host (who also happens to be the email admin as the mail comes through their website), bingo!
Call hosting service and talk to "Gary" (again, not his real name) at about 12:25pm. Tell "Gary" I am an IT consultant from "My Company" working at "Company XYZ" and that we're having problems with 4-5 email accounts not receiving mail. Also tell him one of the email links on the website is incorrect as it links to a person different than it indicates (which was an actual problem).
Seems "Gary" is late for a lunch appointment and needs to get going, but he is kind enough to give me the admin logon info for the web site AND the mail server. And for good measure tells me if "Bill" isn't around his logon info is "username" and "password"! Too easy.
Logon to Bill's machine. Go to the web site, alter it slightly (added some text to the bottom of the home page). Sent an email to "Bill" from his own account, then shut down all email delivery, sending all mail to queues. Surf the network and find that the PDC is an NT machine. Copy SAM through admin share and put it on a floppy ("Bill" has Domain Admin priviledges!). Logoff of "Bill's" system and go down the hall to one of the unoccupied offices. Fire up the ol' notebook and L0pht Crack - copy SAM from floppy to HDD and start ruining what is left of "Bill's" day.
Let LC do it's thing for about 30-45 minutes while I'm out wandering around giving "Bill" the impression that all is okay in the world. Complaints start to roll in about no email. Tell "Bill" I will look into it before I leave. Go back to office where notebook is, stop LC and IR print to HP in the office. 14 passswords snagged, to include "Bill's" and several other folks who have higher than normal priviledges...
Type up quick letter to client documenting everything I have done to include usernames and passwords that have been compromised. Deliver bad news to client, "fix" the things I altered, tell client to call me when they want me to come back with more training or solutions and leave - thanking the IT gods that I'm not in "Bill's" shoes...
It all goes to show, you can lock it down and take all the precautions you can think of, but sometimes all it takes is an innocent looking phone number and a call to somebody who could care less about your systems -- and you're cooked.
May 29th, 2002 05:51 PM
May 29th, 2002 05:52 PM
And there are still people who will tell you social engineering is not hacking....
\"Ignorance is bliss....
but only for your enemy\"
May 29th, 2002 05:53 PM
Oh you are so right! one weak link make the whole chain usleless.
Integrity...loyalty.....and the willingness to make a better world for us all.
May 29th, 2002 05:55 PM
sweet! i would of done pretty much the same thing... I could imagine the look of the admin after he found out how you raped thier network LOL You hit it right on the spot what i would of tried LOL If the whole workshop is an NT enviroment, LC3 and lC4 work like a charm, even on xp clients.....
May 29th, 2002 06:14 PM
As a matter of fact their CIO is an old mainframer who has little understanding of client-server networks. As a matter of fact, he's really old school mainframe and pretty much hates the whole idea of having distributed processing and distributed control. We argue all the time...
First off, why did the IT consultant have someone else's password? Why did he give it out? Sounds like they need to stop using a consultant that can fall for a stupid social engineering trick.
But they use a host for their website, cuz they actually don't have anybody on staff with either the experience or the desire to run the web site. (I think it may be a motivational problem, truthfully.) And since the host offered an email solution to them, they jumped on it rather than install their own (against my advice).
I advised them against the hosting idea w/email. I said "if that's the route you want to go with your web site, then okay, but don't let them admin your mail, as it puts you at their mercy when things get screwed up..." And I didn't say it in so many words, but I basically told them that they paid good money to have me come onsite to do my first 3 assessments and that it was their choice to go against my advice, I get paid one way or another. And now, I'll get paid to go back at least one more time...